Business Continuity and Compliance
Working Together
Kristy Justice, AVP
WaMu Card Services
08/19/2008
Business Continuity and Compliance: Working Together
Agenda
- Business Continuity
- Compliance: Looking at SOX and Basel II
- Cobit 4.0 Framework
- Working Together
Business Continuity
Business Continuity
What is Business Continuity Planning?
Business Continuity establishes the basis for financial institutions to recover and resume business processes when operations have been disrupted unexpectedly.
- Business Operations
- Technology
- Testing
- Communication Strategies
Business Continuity
Why is it Important?
Financial institutions play a critical role in the overall economy. The assurance that disruptions in services are minimized will foster confidence in the overall financial system and trust from the public.
Additionally, Business Continuity Planning allows financial institutions to be prepared for the unexpected and to minimize potential financial losses while continuing to serve customers and financial markets.
Business Continuity
The Business Continuity process comprises four steps:
- Business Impact Analysis
- Risk Assessment
- Risk Management
- Risk Monitoring and Testing
Business Continuity
The first step of Business Continuity, the Business Impact Analysis (BIA), is to:
- Identify and prioritize all business processes or functions
- Identify the potential impact of a business disruption
- Identify legal and regulatory requirements, if any
Business Continuity
Step two, Risk Assessment, looks at:
- Evaluating the Business Impact (from step 1)
- Analyzing threats based upon the impact to the institution
- Prioritizing potential disruptions
- Performing a Gap Analysis
Business Continuity
Risk Management, the third step, focuses on the development, implementation, and maintenance of a Business Continuity Plan (BCP). This includes consideration of:
- The BIA and Risk Assessment from the previous steps
- A plan that is written and specific to the conditions for implementation and the steps to take during implementation
- Proper management of the plan, if supported by a third party
- Focus on the impact of various threats
- Effectiveness in minimizing service disruptions
Business Continuity
The fourth step, Risk Monitoring and Testing, ensures the viability of the BCP through:
- Incorporation of the BIA and Risk Assessment into testing
- Assignment of roles and responsibilities for implementation of testing
- Completion of BCP tests
- Evaluation and assessment of the test program and results
- Revision of the BCP, if necessary
Compliance: Looking at SOX and Basel II
Compliance: SOX and Basel II
What is SOX?
Drafted by Senator Paul Sarbanes and Congressman Michael Oxley, the Sarbanes-Oxley Act was signed into law on July 30, 2002 by President Bush.
It was enacted largely in response to a number of major corporate and accounting scandals such as Enron and MCI WorldCom, and applies to publicly traded companies and Auditors of such companies.
SOX requires an annual evaluation of internal controls and procedures for financial reporting in perpetuity.
Compliance: SOX and Basel II
SOX Responsibilities
The scope of SOX responsibilities includes:
- At least annual assessment and review of controls, which include, but are not limited to, controls related to the prevention, identification, and detection of fraud.
- The CEO is ultimately responsible and should assume “ownership” of the control system. However, everyone in the organization has some responsibility for internal controls. Our efforts directly impact the reporting by our Management.
Compliance: SOX and Basel II
What is Basel?
The Basel Committee was established by the central-bank Governors of the Group of Ten countries at the end of 1974 and meets regularly four times a year.
In 1988, the Committee decided to introduce a capital measurement system commonly referred to as the Basel Capital Accord. This system provided for the implementation of a credit risk measurement framework with a minimum capital standard of 8% by end-1992.
Compliance: SOX and Basel II
The Basel II Framework, issued on July 4, 2006, is intended to be a comprehensive version and to promote a more forward-looking approach to capital supervision, one that encourages banks to identify the risks they may face, today and in the future, and to develop or improve their ability to manage those risks. Categories include:
- Risk Scenario Analysis and Inventory
- Loss Data
- Risk Control Self Assessment
- Economic Capital Reporting
Cobit 4.0 Framework
Cobit 4.0 Framework
A Cobit Framework was established in support of Management’s realization of the significance that information can have to the success of an Enterprise, the expectation of a heightened understanding of operations, and the assurance of successful management so that the Enterprise can:
- Achieve its objectives
- Be resilient to learn and adapt
- Judiciously manage risks
- Recognize opportunities and act upon them
Cobit Framework
This governance and control framework serves a variety of internal and external stakeholders and meets the objectives of:
- Business focus to align Business and Technology objectives
- Process oriented, with a specific structure
- Be consistent with best practices and standards
- Use a common language generally understandable by all stakeholders
- Help meet regulatory requirements
Cobit 4.0 Framework
The Cobit Framework is comprised of four categories:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Each of these categories has a list of Detailed Control Objectives specific to that category.
These objectives provide a framework for Enterprises to ensure they are compliant with regulatory policies and standards, including SOX, Basel II, and BCP.
Cobit 4.0 Framework
Within the Cobit 4.0 Deliver and Support category, an entire section, DS4, identifies controls specific to continuity. They include objectives such as:
- DS4.1 IT Continuity Framework
- DS4.2 Continuity Plans
- DS4.5 Testing of Continuity Plans
These objectives are directly in line with the goals of Business Continuity.
Working Together
Working Together
[Diagram: three overlapping circles labelled SOX, Basel II, and BCP]
Business Continuity, SOX, and Basel II are intertwined
Working Together – Common Threads
Within BCP, SOX, and Basel II programs, there are common threads:
- Process identification and prioritization
- Risk assessment and evaluation
- Control identification and Gap Analysis
- Testing
- Remediation, when necessary
Working Together
Process Identification and Prioritization
- What are each of your Business processes? This includes Business and Technology processes.
- Which processes are key or critical to continue “Business as Usual”?
- Which processes have a direct impact on your financials (General Ledger)?
- Which processes are the key operational processes to support your customers or stakeholders?
Working Together
Risk Assessment and Evaluation
- For each of the processes deemed critical, what are your risks? Operational, Resource, Financial, Data
- What is your level of risk? High, Moderate, or Low level of risk
- Management understanding and approval of processes and risks, and of the necessary efforts associated with identified risks.
Working Together
Control Identification and Gap Analysis
- For each risk identified as a High Risk, what are the controls in place?
- How strong are these controls?
- Are there any gaps within the process that do not control the risk?
- Does Management understand and approve the gaps, or do they need to be addressed?
Working Together
Testing and Remediation
- Perform testing to ensure the controls in place are working as expected.
- Report test results to Management.
- Remediate weaknesses or failures.
- Were there any failures during testing?
- Were any controls identified as weak during testing, not meeting their objectives?
Working Together
Although the reasons for each program may be different, the Enterprise objectives and activities that are set out for Business Continuity, SOX, and Basel are the same:
- Ensure controls are in place that meet regulatory requirements
- Reduce and mitigate risk, whether financial, operational, or reputational
- Reduce the impact to internal or external stakeholders
Working Together
Think about the synergy of your compliance programs and consider:
Are there redundancies within any of your Programs?
Can resources be more aligned to work more closely together?
Where can efforts be consolidated to be more efficient and cost effective, yet still meet the needs of your Enterprise and regulatory requirements?